Cyber Threats in Pharmaceutical Manufacturing: How to Secure Critical Operations

Across the pharmaceutical manufacturing industry, brands and companies are experiencing a stark wake-up call about data security. Thanks to the highly sensitive data stored by drug research and biotechnology companies, their operations are becoming increasingly appealing to cyber criminals.
High-profile firms such as Sun Pharmaceuticals, based in India, have reported cyber attacks that have leaked thousands of customers’ and employees’ sensitive data. In this case, the company fell prey to a ransomware group, which led to the brand stepping up its security efforts.
Let’s consider the wider implications of evolving threats in pharmaceutical manufacturing, and how companies can better secure their data with attack vectors constantly evolving.
The Evolving Cyber Threat Landscape in Pharmaceutical Manufacturing
Cyber threats posed to the pharmaceutical industry continue to drive up costs, taking into account the amount of money required to repair the fallout and restore reputation. According to IBM’s Cost of a Data Breach report, companies in the industry spend an average of $5.1 million per breach. Comparing the data with 2023’s report, this is an increase of $288,000 year-on-year.
Although the industry is at the forefront of adopting evolving technology such as machine learning and artificial intelligence (AI), many companies simply aren’t enhancing their cybersecurity fast enough to keep up with evolving threats.
For example, given the intensive digitization of sensitive records the industry has overseen in the past decade, experts feel that attack surfaces – or, opportunities for hackers – have expanded significantly.
The research paper dives deeper into how pharma firms could use AI to make cybersecurity more efficient and effectively play hackers at their own game.
As technology evolves, so will hacking techniques, and the tools used by attackers targeting pharmaceutical manufacturing. Thankfully, there are several ways that companies in the industry can keep their operations robust.
Key Cyber Threats Facing the Pharmaceutical Industry
Some of the most challenging cyber threats currently affecting pharmaceutical manufacturing firms include:
- Ransomware: A type of malware that locks down data and systems until a financial ransom is paid. It accounts for around 27% of all malware attacks right now, and in pharmaceuticals, it can lead to the locking down and even loss of life-saving research and development.
- Supply chain attacks: Given the pharmaceutical industry’s reliance upon third-party supply and distribution (e.g., for raw materials and logistics), it’s unsurprising that denial of service attacks – which can overload and take supply chains offline – are considered major threats.
- Insider threats: In some cases, bad actors within pharma firms can take advantage of lax access control systems or known flaws to leak sensitive data or steal research.
- Data breaches: A data breach – an umbrella term covering the act of breaking into a pharma firm’s systems and accessing information – is an increasing concern. For pharmaceutical companies, data such as patient records, capital, and critical research property are all at risk of being stolen.
- Third-party threats: When reliant on cloud operations or mergers where several third-party companies are involved, pharma firms are exposed to those companies’ cybersecurity weaknesses as well as their own.
- Phishing and social engineering: In some cases, bad actors can persuade pharma employees to grant them access to sensitive records and internal databases by convincing them of their legitimacy. They can do so through confidence tricks, or even by supplying false links that lead to data harvesting.
All of the above can be made more efficient and more devastating through the use of automation and generative AI. For example, some hackers run automated tools to brute-force guess insecure passwords and bypass pharmaceutical access controls.
Strategies for Securing Critical Operations
While there is no explicit, single strategy that all pharmaceutical companies should follow to secure their critical operations, there are still several measures they should take to proactively protect their data. These can include:
- Intensive, regular training: Keeping pharma staff up to date on the latest threat vectors, how to strengthen passwords and protect data, and what to look out for in terms of social engineering can help prevent major breaches.
- Penetration testing: Penetration tests are organized, ethical attacks run by cybersecurity experts to find potential weaknesses and vulnerabilities in systems and infrastructures. Run at least twice yearly, penetration testing can help pharma companies take stock of weaknesses and ensure they’re up to speed with the latest threats.
- Multi-factor authentication (MFA): Research and development teams should not only create strong passwords or use biometrics in access control, but also consider MFA. MFA is an extra layer of security that employees must pass before they can access data – such as by scanning a physical barcode, or accessing a unique device or app.
- Data encryption: By encrypting sensitive data stored and shared across their systems, pharmaceutical companies can prevent attackers from being able to use any information they might access.
- Cybersecurity frameworks: Frameworks for the pharmaceutical industry, such as ISO 9001 and ISO 14001, can help companies plan for and carry out cybersecurity measures.
Regulatory Compliance and Industry Standards
Data security is paramount within the pharmaceutical industry, not only for consumer protection but also for compliance. In particular, US pharmaceuticals are strictly regulated by the Code of Federal Regulations, or CFR, which helps ensure companies keep information safe and produce drugs and other materials safe for public distribution.
21 CFR Part 11, specifically, requires pharmaceutical companies to keep stringent electronic records and signatures, and to ensure they remain trustworthy. By following recommended cybersecurity standards, pharma companies can continue to abide by the regulations set.
Conclusion
Thanks to the sensitive nature of the data they work with, pharmaceutical companies are at high risk from hackers and malicious actors seeking financial gain and to wreak reputational damage. However, lax cybersecurity measures in place following digitization and ETL pipeline development, for example, can leave these firms more vulnerable than expected.
Therefore, it’s essential for pharma companies to take their cybersecurity postures seriously – and to work with proactive, forward-thinking experts who can test and implement prevention measures that keep up with evolving threats.
Author Bio:
Michael Aminzade is Vice President of Managed Compliance Services at VikingCloud and has over 26 years of experience within cyber, information security and compliance industries. Michael’s experience covers the full spectrum from internal information security where he has been the CISO for a large global service provider to running large global consulting teams. As an industry leader, Michael often has articles published across different publications such as Computer Weekly and Compliance Today. Michael is often asked to speak at different events such as RSA, InfoSec Europe, and Black Hat.










